The Spanish Privacy Authority – Agencia Española de Protección de Datos (AEPD) – has published an interesting guideline on the principle of personal data protection by default, known as (privacy) Data-Protection-by-Default, article 26.2 GDPR. The guideline presents itself as a “practical course” intended to help data controllers comply with the provisions of the GDPR and the guidelines of the European Data Protection Board.
The guideline is addressed not only to data controllers but also to data protection officers. In addition, following an extensive interpretation, the Madrid Privacy Authority has extended the guideline to data processors (developers or suppliers) as well, with regard to the way in which they offer goods and services to data controllers.
Personal data protection by default means that only the personal data strictly necessary and sufficient for each purpose of the processing may be processed.
For this reason, regardless of the set of data collected by the data controller, the controller needs to segment the use of data among the different processing operations and among the different phases of processing, so that not all operations carried out as part of a processing activity are carried out on all data, but only on the data that are necessary and only at the times strictly necessary.
The Iberian Privacy Authority recalls that the GDPR requires the data controller to configure the processing “by-Default” in compliance with the principles applicable to the processing of personal data (Art. 5 GDPR), aiming at “minimally intrusive” processing (minimum use of personal data, “limited” data processing, limited data retention period and “minimum” accessibility to personal data). As stated by the European Data Protection Committee in its Guidelines 4/2019, the implementation of these measures focuses on optimization, configurability and limitation strategies.
The aim of optimisation is to analyse the processing from a data protection point of view, which means applying measures in relation to the amount of data collected, the extent of processing, its storage and its accessibility.
The second strategy is the configuration of services, systems or applications, which must make it possible to establish parameters or options that determine how the processing is to be carried out and that can be modified by the data controller and by the data subject himself. The limitation, on the other hand, ensures that by default the processing is as respectful of data protection as possible, so that the configuration options are set “from the outset” to those values that limit the amount of data collected, the extent of the processing, its storage and its accessibility.
The Guide also includes an amendable document with measures to be taken to implement data protection strategies by default. In particular, these are measures relating to the amount of personal data collected; the extension of the duration of processing; the period of retention or accessibility of the data. The Guide also includes a chapter on the documentation to be kept, which is necessary in order to demonstrate compliance with the legislation (principle of accountability or responsibility, Art. 5.2 GDPR).
Finally, the Madrid Privacy Authority recalls that this principle integrates with the rest of the guarantees established by the GDPR, and that the GDPR itself allows different approaches and alternatives in its implementation.
The Agencia stresses that data controllers must always take the principle of data protection by default into account in their activities. Another important conclusion is that this principle must be applied whenever personal data are processed, regardless of their nature. The establishment of this principle is not the result of an analysis of the risks to rights and freedoms, but rather a measure to be implemented in all cases. SOURCE: FEDERPRIVACY